> -----Message d'origine----- > De : Dotan Cohen [mailto:dotancohen@xxxxxxxxx] > Envoyé : samedi 21 avril 2007 03:08 > À : php php > Objet : Preventing SQL Injection/ Cross Site Scripting > > I've got a comments form that I'd like to harden against SQL Injection > / XSS attacks. The data is stored in UTF-8 in a mysql database. I > currently parse the data as such: > ... > The first statement doubles up quotes, it's a bit difficult > to see in the code. > > After seeing this: > http://ha.ckers.org/xss.html > and another similar one for SQL injection, I'm worried that my filters > are not enough. What do the pro php programers out there use? Sql and xss attacks are two different issues that should each be adressed accordingly at at the right time... XSS attacks should be parsed when the form is "checked", sql should be adresssed when you are puting the actuall information in the database. PHP has several functions that adress sql injection issues for example as stated: mysql_real_escape_string(); which will "safely" escape any data used in an sql statement to evade sql injection, thats a good first measure any ways... Second, a mesure that i take for both xss and sql is instead of escaping certain data, i only "allow" certain data, that i consider safe for display on a web site.. I recommend you dig deeper into that xss page you might even find a script that filters xss.. You might even be able to modify it to suit your needs and/or to harden/better it... Regards, Tim -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
